Discrete-Log-Based Additively Homomorphic Encryption and Secure WSN Data Aggregation

Licheng Wang 1,2, Lihua Wang 2, Yun Pan 3, Zonghua Zhang 2, and Yixian Yang 1

1 Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, 10 West Tucheng Road, Beijing, P.R. China 100876
2 Security Fundamental Group, Information Security Research Center, National Institute of Information and Communications Technology, 4-2-1 Nukui-Kitamachi, Koganei-shi, Tokyo, 184-8795 Japan
3 School of Computer, Communication University of China, 1 East Street of Dingfuzhuang, Beijing, P.R. China 100024
{wanglc,wlh,zonghua}@nict.go.jp, pany@cuc.edu.cn, {wanglc,yxy}@bupt.edu.cn

Abstract. At PKC 2006, Chevallier-Mames, Paillier, and Pointcheval proposed encryption schemes that are partially homomorphic, either additively or multiplicatively, and announced an open research problem: finding a discrete-log-based cryptosystem that would help realize fully additive or multiplicative homomorphism. In this study, we achieve this goal by lifting the message space of the ElGamal scheme from M to g_0^M. We then apply our scheme to construct a novel protocol for secure data aggregation in Wireless Sensor Networks.

Keywords: Discrete-logarithm problem, additively homomorphic encryption, wireless sensor networks, data aggregation.

1 Introduction

1.1 Background: Homomorphic Encryption

In general, we expect a cryptosystem to be as secure as possible. To this end, various security notions have been developed. The basic requirement for a cryptosystem is that adversaries must be prevented from learning confidential messages. This is the so-called security notion of one-wayness (OW) and was recognized even before 2500 B.C. With the development of modern cryptography, particularly after the advent of public-key cryptosystems [7], new desirable security notions were conceived.
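The lifting described in the abstract, as an added illustration that is not the paper's own construction: a textbook "exponential" ElGamal in Python over a toy safe-prime group (the parameters P = 1019, Q = 509 and G = 4 are constructed so the arithmetic can be checked by hand, not taken from the paper). Encrypting g^m instead of m makes component-wise ciphertext multiplication add plaintexts, so an aggregator node without the secret key can sum sensor readings, and the sink recovers the sum with a bounded discrete-log search. All function names and the sample readings are assumptions.

```python
import secrets

# Constructed toy parameters (assumption, not from the paper): a small safe prime
# P = 2Q + 1 and a generator G of the order-Q subgroup, so everything is checkable
# by hand. Real deployments use group sizes of cryptographic strength.
P = 1019          # prime, P = 2 * 509 + 1
Q = 509           # prime order of the subgroup we work in
G = 4             # 4 = 2^2 is a quadratic residue mod P, hence has order Q


def keygen(sk=None):
    """Return (sk, pk) with pk = G^sk mod P. sk may be supplied for reproducible tests."""
    if sk is None:
        sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk, m, r=None):
    """Lifted ElGamal: encrypt G^m instead of m, so ciphertexts add in the exponent."""
    if not 0 <= m < Q:
        raise ValueError("message must lie in [0, Q)")
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, r, P)
    c2 = (pow(G, m, P) * pow(pk, r, P)) % P
    return (c1, c2)


def aggregate(ciphertexts):
    """Component-wise product: Enc(m1) * Enc(m2) = Enc(m1 + m2).
    Needs no key, so an untrusted aggregator node can run it."""
    a1, a2 = 1, 1
    for c1, c2 in ciphertexts:
        a1 = (a1 * c1) % P
        a2 = (a2 * c2) % P
    return (a1, a2)


def decrypt(sk, ct, max_sum):
    """Recover G^m, then m by exhaustive search over [0, max_sum].
    Returns None if the plaintext is outside that range: the price of the lifting
    is that the receiver must know a bound on the aggregate, and the bound must
    stay below the group order Q or sums wrap around modulo Q."""
    if max_sum >= Q:
        raise ValueError("max_sum must be smaller than the group order Q")
    c1, c2 = ct
    shared = pow(c1, sk, P)                 # c1^sk = pk^r
    gm = (c2 * pow(shared, -1, P)) % P      # strip the mask, leaving G^m
    acc = 1                                 # G^0
    for m in range(max_sum + 1):
        if acc == gm:
            return m
        acc = (acc * G) % P
    return None


def aggregate_readings(readings, pk, sk, max_sum):
    """End to end: sensors encrypt, the aggregator multiplies, the sink decrypts."""
    cts = [encrypt(pk, m) for m in readings]
    return decrypt(sk, aggregate(cts), max_sum)


if __name__ == "__main__":
    sk, pk = keygen()
    readings = [17, 5, 30]   # constructed sample sensor readings
    print(aggregate_readings(readings, pk, sk, max_sum=200))  # prints 52
```

The aggregator only ever multiplies group elements, so compromising it reveals nothing beyond the ciphertexts it already forwards; the bounded search in decrypt is what limits this construction to small message spaces such as sensor sums.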
Naor suggested that different security notions for encryption should be defined by orthogonally considering the various possible goals and the various possible attack models [1]. Typically, two goals, namely, indistinguishability (IND) [13] and non-malleability (NM) [8], and three attack models, namely, chosen-plaintext attack (CPA), non-adaptive chosen-ciphertext attack (CCA1) [14], and adaptive chosen-ciphertext attack (CCA2) [16], have

S. Qing, C.J. Mitchell, and G. Wang (Eds.): ICICS 2009, LNCS 5927, pp. 493–502, 2009. © Springer-Verlag Berlin Heidelberg 2009